However, when calling a URL from Forms, don't pass username and password as values in your URL string. Instead create a random string (a Token if you will) save this token to a database table and pass this token in your URL string. Next, use the getBookmark API to read the token. Validate it against the table and continue with the application flow if the token is a valid one. You can even restrict the time a token is valid.